
Okta SSO Accounts Targeted by Sophisticated Vishing and Adversary-in-the-Middle (AiTM) Phishing Attacks Leading to Data Theft and Extortion

  • Rescana
  • 2 days ago
  • 6 min read

Executive Summary

On January 22, 2026, Okta and independent security researchers reported a surge in highly targeted vishing (voice phishing) attacks leveraging custom adversary-in-the-middle (AiTM) phishing kits to compromise Okta SSO (Single Sign-On) accounts. These attacks are orchestrated by multiple threat actors, including groups with a history of high-profile data breaches, and are primarily targeting organizations in the fintech, wealth management, financial, and advisory sectors. Attackers use real-time social engineering over the phone, combined with dynamic phishing sites, to harvest credentials and multi-factor authentication (MFA) codes, enabling unauthorized access to a wide range of business-critical cloud platforms. Once access is gained, attackers exfiltrate sensitive data—most notably from platforms such as Salesforce—and subsequently issue extortion demands to victim organizations. The technical evidence confirms the use of sophisticated phishing kits, real-time command and control (C2) infrastructure, and advanced social engineering tactics capable of bypassing even push-based MFA with number matching. All claims and timelines in this report are based on primary sources as of January 22, 2026 (BleepingComputer, Okta Official Blog).

Technical Information

The current campaign against Okta SSO accounts is characterized by a multi-stage, highly interactive attack chain that combines vishing and adversary-in-the-middle (AiTM) phishing. The attackers begin with reconnaissance, identifying target employees, the applications they use, and the phone numbers associated with their company’s IT support. This information is used to craft convincing pretexts and spoofed caller IDs, increasing the likelihood of successful social engineering (BleepingComputer).

The attack sequence unfolds as follows: The threat actor initiates a phone call to the target, impersonating IT staff and often using a spoofed corporate or helpdesk number. During the call, the attacker instructs the victim to visit a customized phishing site, typically named to resemble the company’s legitimate internal resources (e.g., “googleinternal[.]com” or “mygoogle[.]com”). These phishing sites are powered by custom AiTM kits that allow the attacker to control the authentication flow in real time, synchronizing the content displayed in the victim’s browser with the instructions given over the phone (Okta Official Blog).

As the victim enters their Okta SSO credentials, the information is immediately relayed to the attacker, often via backend infrastructure such as Telegram channels or a Socket.IO server (e.g., inclusivity-team[.]onrender.com). The attacker then attempts to log in to the legitimate Okta SSO portal. When prompted for MFA—whether a time-based one-time password (TOTP) or a push notification—the attacker updates the phishing site in real time to mirror the legitimate challenge. The attacker verbally instructs the victim to provide the required code or approve the push notification, effectively bypassing MFA protections. Notably, even push-based MFA with number matching is vulnerable, as the attacker can simply tell the victim which number to select, and the phishing kit updates the browser prompt to match (Okta Official Blog).

Once authenticated, the attacker gains access to the Okta SSO dashboard, which serves as a gateway to a wide array of enterprise applications, including Microsoft 365, Google Workspace, Dropbox, Salesforce, Slack, Zoom, Box, Atlassian Jira and Confluence, and Coupa. The attacker enumerates available applications and focuses on exfiltrating data from platforms with high-value or easily accessible information, such as Salesforce. In several documented cases, attackers have sent extortion emails to victim organizations, threatening to publish stolen data unless a ransom is paid. Some of these extortion demands have been signed by the ShinyHunters group, although direct technical attribution remains unconfirmed (BleepingComputer).

The technical sophistication of these attacks is underscored by the use of custom phishing kits sold as a service, enabling multiple intrusion actors to conduct similar campaigns. These kits provide a command and control (C2) panel for live manipulation of the phishing site, real-time credential and MFA code relay, and seamless synchronization with the attacker’s social engineering script. No traditional malware is deployed on the victim’s endpoint; the attack is entirely web-based and relies on exploiting human trust and real-time interaction.

Mapping these techniques to the MITRE ATT&CK framework, the campaign involves: reconnaissance (gathering victim identity and organizational information), initial access (vishing and AiTM phishing), execution (user visits malicious link), credential access (real-time interception of credentials and MFA codes), defense evasion (spoofed caller IDs and phishing sites, MFA bypass), discovery (enumeration of applications via the SSO dashboard), collection (data exfiltration from cloud platforms), exfiltration (over web services), and impact (extortion and threat of data publication).

The evidence supporting these findings is of high quality, with direct technical details and attack sequences confirmed by both Okta and independent security researchers. Attribution to ShinyHunters is supported by circumstantial evidence (signed extortion emails) and pattern analysis, but lacks direct technical linkage, resulting in medium confidence for direct attribution.

Affected Versions & Timeline

The attacks target organizations using Okta SSO as their identity provider, with no evidence that a specific version or configuration of Okta is immune if phishing-resistant MFA is not enforced. The campaign leverages weaknesses in human factors and non-phishing-resistant MFA, rather than exploiting a software vulnerability in Okta itself. The phishing kits are designed to target Okta, Google, Microsoft, and cryptocurrency platforms, and are adaptable to any organization using SSO with standard MFA.

The timeline of the current campaign is as follows: On January 22, 2026, both BleepingComputer and the Okta Official Blog published detailed reports on the attacks, confirming that the campaign was active at least in the weeks leading up to this date. Okta had previously issued private warnings to customer CISOs earlier in the same week. Similar vishing and AiTM phishing attacks have been observed since at least April 2025, with increasing sophistication and adoption of real-time session orchestration (Okta Official Blog).

Threat Activity

The threat activity is characterized by highly targeted, planned attacks against employees of organizations in the fintech, wealth management, financial, and advisory sectors. Attackers conduct reconnaissance to identify high-value targets and tailor their social engineering approach. The use of spoofed caller IDs and customized phishing sites increases the credibility of the attack, while real-time manipulation of the authentication flow enables the defeat of standard MFA protections.

Once access is gained, attackers enumerate the victim’s available applications via the Okta SSO dashboard and prioritize data exfiltration from platforms such as Salesforce. The attackers’ operational tempo is high, with immediate use of stolen credentials and rapid escalation to extortion if detected. Extortion demands are sent to victim organizations, threatening to publish stolen data unless payment is made. Some of these demands are signed by the ShinyHunters group, known for previous high-profile data breaches, although direct technical attribution remains unconfirmed (BleepingComputer).

The phishing kits used in these attacks are sold as a service and are available to multiple intrusion actors, increasing the scale and frequency of attacks. The kits’ ability to adapt in real time to the authentication flow and the attacker’s script makes them particularly effective against organizations relying on standard MFA.

Mitigation & Workarounds

The following mitigation strategies are prioritized by severity:

Critical: Enforce phishing-resistant MFA for all access to Okta SSO and integrated applications. Recommended methods include Okta FastPass, FIDO2 security keys, and passkeys. These methods are resistant to adversary-in-the-middle and real-time social engineering attacks (Okta Official Blog).

High: Conduct regular and targeted security awareness training for all employees, with a focus on recognizing vishing and social engineering tactics. Emphasize that IT staff will never ask for credentials or MFA codes over the phone or direct users to unfamiliar login pages.

High: Implement network zones and tenant access control lists to restrict authentication attempts from anonymizing services and untrusted networks. Monitor for anomalous login attempts, especially those originating from unexpected locations or using new devices.
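One way to operationalize this monitoring, as an added example that is not part of the original post or Okta's own tooling: a small detector run over Okta System Log events that flags a successful session from a country the user has never signed in from, and escalates when that session is followed within minutes by SSO into several distinct apps (the dashboard enumeration step described above). The sample events and per-user baseline are constructed; field names follow the Okta System Log schema as the author understands it and should be checked against your own log export.

```python
from datetime import datetime, timedelta

def ev(etype, ts, user, country=None, app=None, result="SUCCESS"):
    """Build a minimal Okta System Log-shaped event (constructed sample data)."""
    e = {"eventType": etype, "published": ts, "outcome": {"result": result},
         "actor": {"alternateId": user},
         "client": {"geographicalContext": {"country": country}}}
    if app:
        e["target"] = [{"type": "AppInstance", "displayName": app}]
    return e

# Constructed sample: alice's session comes from a country she has never used,
# followed within minutes by SSO into several apps; bob's activity is normal.
SAMPLE_EVENTS = [
    ev("user.session.start", "2026-01-22T09:12:00Z", "alice@example.com", country="Netherlands"),
    ev("user.authentication.sso", "2026-01-22T09:13:10Z", "alice@example.com", app="Salesforce"),
    ev("user.authentication.sso", "2026-01-22T09:13:40Z", "alice@example.com", app="Google Workspace"),
    ev("user.authentication.sso", "2026-01-22T09:14:05Z", "alice@example.com", app="Box"),
    ev("user.session.start", "2026-01-22T10:00:00Z", "bob@example.com", country="United States"),
    ev("user.authentication.sso", "2026-01-22T10:01:00Z", "bob@example.com", app="Slack"),
]
# Constructed per-user baseline: countries seen in prior legitimate sessions.
KNOWN_COUNTRIES = {"alice@example.com": {"United States"}, "bob@example.com": {"United States"}}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_aitm_indicators(events, baseline, window=timedelta(minutes=10), min_apps=3):
    """Flag successful sessions from a country outside the user's baseline and
    escalate to high severity when >= min_apps distinct apps are reached via SSO
    within `window` of the session start (rapid post-login enumeration)."""
    alerts = []
    for s in events:
        if s["eventType"] != "user.session.start" or s["outcome"]["result"] != "SUCCESS":
            continue
        user = s["actor"]["alternateId"]
        country = s["client"]["geographicalContext"]["country"]
        if country in baseline.get(user, set()):
            continue  # known location for this user; nothing to flag
        start = parse_ts(s["published"])
        apps = sorted({t["displayName"] for e in events
                       if e["eventType"] == "user.authentication.sso"
                       and e["actor"]["alternateId"] == user
                       and start <= parse_ts(e["published"]) <= start + window
                       for t in e.get("target", []) if t.get("type") == "AppInstance"})
        alerts.append({"user": user, "country": country, "apps": apps,
                       "severity": "high" if len(apps) >= min_apps else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_aitm_indicators(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

In production the baseline would be derived from historical successful sessions per user, and the country check is a stand-in for whatever anomaly signal your SIEM already computes (new ASN, new device, anonymizing-service ranges).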

Medium: Review and harden helpdesk and IT support processes so they cannot be abused for social engineering. Consider implementing live caller verification, where employees can independently verify the identity of IT staff through a separate, trusted channel.

Medium: Monitor for the registration of lookalike domains and phishing sites that mimic your organization’s internal resources. Use threat intelligence feeds and domain monitoring services to detect and respond to new phishing infrastructure.

Low: Encourage the use of password managers and unique, strong passwords for all accounts, reducing the risk of credential reuse across services.

Organizations should also review Okta’s published best practices and threat advisories for additional technical controls and response strategies (Okta Security Blog, Okta Official Blog).

References

BleepingComputer, Jan 22, 2026: https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/

Okta Official Blog, Jan 22, 2026: https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/

Okta Security Blog: https://www.okta.com/blog/threat-intelligence/help-desks-targeted-in-social-engineering-targeting-hr-applications/

About Rescana

Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously assess, monitor, and respond to risks in their digital supply chain. Our platform supports the identification of emerging threats, the evaluation of vendor security posture, and the implementation of controls to mitigate risks associated with identity providers, cloud platforms, and social engineering attacks. For questions or further information, contact us at ops@rescana.com.
